The error in the title occurred with a template like this:
LaboLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: "LaboLambdaRole"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
              - lambda.amazonaws.com
        - Effect: Allow
          Action: s3:ListAllMyBuckets
          Resource: "arn:aws:s3:::*"
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
Error
An error occurred: LaboLambdaRole - Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 11ee95fd-xxxx-xxxx-xxxx).
Conclusion
AssumeRolePolicyDocument is the section for sts:AssumeRole (the role's trust policy, which only states who may assume the role), so a Resource field cannot be defined there. Put the permission statement in a separate AWS::IAM::Policy instead.
LaboLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: "LaboLambdaRole"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
              - lambda.amazonaws.com
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess
LaboLambdaRolePolicies:
  Type: "AWS::IAM::Policy"
  Properties:
    PolicyName: "root"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Action: s3:ListAllMyBuckets
          Resource: "arn:aws:s3:::*"
    Roles:
      -
        Ref: "LaboLambdaRole"
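The split above (trust policy = who may assume the role, identity policy = what the role may do) can be checked before a deploy ever reaches IAM. The following is an added example, not code from the original post: a small lint over a parsed CloudFormation template that reports the exact MalformedPolicyDocument problems above (Resource inside AssumeRolePolicyDocument, and the mirror case, Principal inside an AWS::IAM::Policy). The BROKEN dict is a constructed sample that mirrors the failing template from the post.

```python
from typing import Any, Dict, List
# Trust policy (AssumeRolePolicyDocument) = WHO may assume the role: Principal +
# sts:* actions, never Resource. Identity policy (AWS::IAM::Policy PolicyDocument)
# = WHAT the role may do: Action + Resource, never Principal.
def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def check_trust_policy(logical_id: str, doc: Dict[str, Any]) -> List[str]:
    """Findings for one AssumeRolePolicyDocument (empty list means OK)."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = f"{logical_id}.AssumeRolePolicyDocument.Statement[{i}]"
        for field in ("Resource", "NotResource"):
            if field in stmt:
                findings.append(f"{where}: has prohibited field {field}")
        non_sts = [a for a in _as_list(stmt.get("Action", [])) if not str(a).startswith("sts:")]
        if non_sts:
            findings.append(f"{where}: {non_sts} belong in an AWS::IAM::Policy, not here")
    return findings

def check_identity_policy(logical_id: str, doc: Dict[str, Any]) -> List[str]:
    """Findings for one PolicyDocument attached to a role, user or group."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = f"{logical_id}.PolicyDocument.Statement[{i}]"
        for field in ("Principal", "NotPrincipal"):
            if field in stmt:
                findings.append(f"{where}: has prohibited field {field}")
        if not (stmt.keys() & {"Resource", "NotResource"}):
            findings.append(f"{where}: identity statement needs a Resource")
    return findings

def lint_template(template: Dict[str, Any]) -> List[str]:
    """Run both checks over every IAM Role and Policy in a parsed template."""
    findings: List[str] = []
    for lid, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            findings += check_trust_policy(lid, props.get("AssumeRolePolicyDocument", {}))
        elif res.get("Type") == "AWS::IAM::Policy":
            findings += check_identity_policy(lid, props.get("PolicyDocument", {}))
    return findings

# Constructed sample: the post's failing template, already parsed into a dict.
BROKEN = {"Resources": {"LaboLambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["lambda.amazonaws.com"]}},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"}]}}}}}
```

Feeding the output of yaml.safe_load on the real template file into lint_template gives the same structure, so the check can run in CI before cloudformation deploy.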